
Tuesday, August 15, 2017

Getting SSL Certificates Using ACME Clients

Previously I discussed the growing importance of SSL and HTTPS, in particular how they may help protect user privacy. To run an application that supports SSL or HTTPS, one must obtain an SSL certificate. Although SSL certificates have become less costly and some vendors even offer free SSL certificates, there are still a few barriers for many users: a user still needs to manage renewal, suspension, and installation of SSL certificates, and very few vendors provide free SSL certificates. Recently, the development of the "Automatic Certificate Management Environment (ACME)" protocol has made adopting SSL or HTTPS and acquiring SSL certificates much easier.

The following example demonstrates the steps to use an ACME client, certbot, to acquire and install certificates for an Apache HTTP Server instance on a CentOS 7 system.
  1. Install CentOS 7
  2. This step and the steps that follow are done at the CentOS 7 system. Install Apache HTTP Server with mod_ssl.
    
        sudo yum install httpd mod_ssl
        
  3. Enable and start the HTTP service.
    
      sudo systemctl enable httpd.service
      sudo systemctl start httpd.service
      
  4. Enable the EPEL repository.
    
      sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      
  5. Install certbot, an ACME client from the EPEL repository.
    
       sudo yum install certbot-apache
      
  6. Acquire SSL certificates from "Let's Encrypt", and install them at the Apache HTTP server.
    
      sudo certbot --apache
      
  7. The certificates are set to expire in 90 days. Therefore, we need to set up automatic renewal, which can be done either as a systemd timer or as a cron job. Below is a cron job. However, before proceeding to schedule the renewal job, we can test the renewal via the following,
    
      certbot renew --dry-run
      
  8. We now schedule the renewal job twice a day as advised by the "Let's Encrypt" site.
    "If you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks."
    Following the advice, a cron job that runs twice a day is added via crontab -e as root.
    
      0 5,17 * * * /bin/certbot renew > /var/log/certbot.log 2>&1
      
  9. To test your HTTPS site, you may use SSL Labs' service. For instance, if your site is www.example.com, you can point your browser to https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com&latest
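The cron job above sends its output to a log file that nobody may read, so a renewal that quietly fails is only noticed when the site breaks. The following script, an added example that is not part of the original post, checks the certificate the server actually serves and exits non-zero when it is close to expiry; it assumes only the openssl CLI, and the host name and 20-day threshold are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): verify what the server actually
# serves, so a renewal that silently fails in the cron job is noticed before
# the 90 days run out. Assumes only the openssl CLI (present on CentOS 7).

# Return 0 if the certificate in PEM file $1 stays valid for at least $2 more days.
# `-checkend` takes seconds and exits 1 when the certificate expires within that window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the notAfter date of the certificate in PEM file $1, e.g. "Nov 13 12:00:00 2017 GMT".
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Fetch the certificate that host $1 serves on port $3 (default 443) into PEM file $2.
# -servername sends SNI so name-based virtual hosts answer with the right certificate;
# </dev/null closes stdin so s_client returns right after the handshake.
fetch_served_cert() {
    openssl s_client -servername "$1" -connect "$1:${3:-443}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2" 2>/dev/null
    [ -s "$2" ]
}

# Report on the served certificate; exit non-zero below the threshold so cron or a
# monitoring agent can alert on it.
check_site() {
    host="$1"; threshold="${2:-20}"
    tmp=$(mktemp)
    if ! fetch_served_cert "$host" "$tmp"; then
        echo "ERROR: could not fetch a certificate from $host" >&2
        rm -f "$tmp"; return 2
    fi
    expiry=$(cert_expiry "$tmp")
    if cert_valid_for_days "$tmp" "$threshold"; then
        echo "OK: $host certificate valid until $expiry"; rc=0
    else
        echo "WARNING: $host certificate expires within $threshold days (on $expiry)" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh certcheck.sh www.example.com [threshold_days]
if [ $# -gt 0 ]; then
    check_site "$@"
fi
```

Run it from the same cron tab a few hours after the renewal job; cron mails the non-zero result, or a monitoring agent can act on the exit status.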

Besides certbot, there are many other ACME clients. See the Let's Encrypt site for a recommended list.

Friday, October 2, 2015

HTTPS Everywhere Arrives at Blogger!

A couple of weeks ago I wrote a blog post on how we may preserve privacy while browsing the Web. One particular technology that we can rely on is HTTPS, for which I mentioned the Electronic Frontier Foundation's HTTPS Everywhere browser plugin. See the blog post for more discussion.

Today, I am happy to learn that Google has rolled out HTTPS support to Blogspot, according to their blog post released on September 30, 2015.

This is fantastic!

Let us push HTTPS Everywhere!

As indicated in Google's blog post,

"
Blogspot authors should be aware that if they choose to encrypt at this time, some of the current functionality of their blog may not work over HTTPS. This can be a result of template, gadgets, and blog post content, and is often caused by mixed content errors, some of which may be fixable by the author themselves.
"

If your blog relies on your own web services that are served over HTTP, you may have to make them available over HTTPS as well. You can actually obtain free SSL certificates for your web services, from at least two providers at the time this post is written.

Well, having stated the above, although I enabled HTTPS on this blog site, I have not been able to test all the posts and functionality. Readers, if you happen to spot a "mixed content" error on this blog site, please let me know. I am most appreciative of that.
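Mixed-content errors come from active resources (scripts, stylesheets, images, frames) that a page still loads over plain http://. The script below, an added example that is not part of the original post, lists those resources in a saved copy of a blog template or page so they can be fixed before readers hit the error; it assumes only POSIX tr and grep, and the constructed file name is whatever the page source was saved as.

```shell
#!/bin/sh
# Added example (not from the original post): report active resources in an HTML
# file that still load over plain http://, the usual cause of "mixed content"
# errors once the page itself is served over HTTPS. Assumes only POSIX tr and grep.

# Print every src= or href= that pulls active content over http:// from HTML file $1.
# Lines are joined first so a tag split across lines still matches, and single quotes
# are normalised to double quotes so both attribute styles are caught.
# Only tags that load scripts, styles, images, frames or media are considered: an
# ordinary <a href="http://..."> link is not mixed content and is deliberately left out.
# Caveat: <link rel="canonical"> or rel="alternate" hrefs load nothing, so review the
# list rather than rewriting every entry blindly.
mixed_content_candidates() {
    tr -d '\n' < "$1" \
        | tr "'" '"' \
        | grep -o -E '<(script|link|img|iframe|source|embed|video|audio)[^>]*>' \
        | grep -o -E '(src|href)="http://[^"]*"'
}

# Human-readable summary; exits 1 when anything was found so it can gate a publish step.
report_mixed_content() {
    found=$(mixed_content_candidates "$1")
    if [ -z "$found" ]; then
        echo "OK: no http:// active content found in $1"
        return 0
    fi
    echo "Mixed-content candidates in $1:"
    echo "$found" | sed 's/^/  /'
    return 1
}

# Usage: sh mixedcheck.sh saved-template.html
if [ $# -gt 0 ]; then
    report_mixed_content "$1"
fi
```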

Monday, September 7, 2015

Free SSL Certificate for Securing Email and Websites

I have been looking for free SSL certificates for enabling HTTPS on a few web servers. HTTPS has been promoted by many organizations and individuals because, besides other benefits, it provides privacy and anonymity against eavesdroppers. The performance penalty of running an HTTPS web server compared with its HTTP counterpart appears to be small.

Finally, I found these two free certificate providers,
Since SSL certificates are for authenticating domains and encrypting network traffic, those who acquire the certificates must go through a validation process. The Wikipedia article on Public key certificate has a discussion of it. Based on the rigor of the vetting done during validation, certificates are categorized as "Domain Validation", "Organization Validation", and "Extended Validation".

The above free certificates only require "Domain Validation", which is probably the reason the vendors can provide them for free: "Domain Validation" can be automated by electronic means, for example via emails sent to the domain registrants listed in the WhoIs database, or via HTML documents uploaded to the websites to be secured.

Modern web browsers typically turn the address bar green if the certificate of a visited website passed Extended Validation.

StartSSL describes the free certificates well on their site as follows,


"
Because the checks are performed mostly by electronic means, they require only minimal human intervention from our side. The validations are here to make sure, that the subscriber is the owner of the domain name, resp. email account. You may find additional information on this subject in our CA policy.

The StartSSL™ Free certificates are intended for web sites which require protection of privacy and prevent eavesdropping. However information presented within these certificates, except the domain name and email address, are not verified. Should you need higher validated certification, please check out our StartSSL™ Verified (Class 2) certificates.
"

I tried the WoSign Free Certificates because WoSign provides certificates with a 3-year validity period while StartSSL only provides a 1-year period. As lazy as I am, a 3-year certificate does save me a few keystrokes to renew and install the certificates on the websites.

The process is simple.
  1. Sign up for an account on WoSign's Free SSL Certificate web page.
  2. Go back to WoSign's web page and log in with the account information.
  3. Request certificates, for which I chose to generate a Certificate Signing Request (CSR) myself. In my case, I use OpenSSL as follows,
    
    openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr
    

    Then, copy and paste the content of the CSR into the WoSign page where the certificate is being requested.

    Note that the key length must be 2048 bits. Save mywebsite.key for later use (in step 5).

  4. Validate website ownership by uploading an HTML document provided by WoSign to the website's web root directory.
  5. Upon completing the validation, install the certificate. I am running an Apache web server, which requires me to uncomment or update these three lines in the configuration file (in my case, /etc/httpd/conf.d/ssl.conf):
    
    SSLCertificateFile     /etc/pki/tls/certs/2_mywebsite.crt
    SSLCertificateKeyFile  /etc/pki/tls/private/mywebsite.key
    SSLCACertificateFile   /etc/pki/tls/certs/1_root_bundle.crt
    

    Note that in the above, 2_mywebsite.crt and 1_root_bundle.crt are from WoSign and mywebsite.key is the private key generated in step 3.
  6. Restart the Apache web server, in my case,
    
    systemctl restart httpd.service
    

  7. The final step is to test that the website is up and the certificate is installed properly. To verify that the website is up, grab a computer and point a web browser to the website's URL using the HTTPS protocol. To verify that the certificate is installed properly, simply click on the "lock" icon next to the website address in the address bar of the web browser. The browser will show the certificate information.
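A key that does not match the certificate, or a CA bundle the certificate does not chain to, makes httpd refuse to start or makes browsers reject the site, and step 7 only discovers this after the restart. The script below is an added example, not part of the original post, that checks the three files named in ssl.conf before step 6; it assumes only the openssl CLI, and the paths in the usage line are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three files that
# ssl.conf points at before restarting httpd. Assumes only the openssl CLI.

# Return 0 when private key $1 and certificate $2 carry the same public key.
# Both commands print the public key as PEM, so the text can be compared directly;
# comparing public keys rather than RSA moduli works for any key type.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $2 chains up to a trust anchor in CA bundle $1 (the file
# SSLCACertificateFile names). OpenSSL requires a self-signed root in the bundle; if
# the vendor bundle holds only intermediates, append the root CA certificate to it.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks on key $1, certificate $2 and bundle $3; exit non-zero so the
# result can gate the restart.
preflight() {
    key="$1"; cert="$2"; bundle="$3"; status=0
    if key_matches_cert "$key" "$cert"; then
        echo "OK: $key matches $cert"
    else
        echo "FAIL: $key does not match $cert" >&2; status=1
    fi
    if chain_verifies "$bundle" "$cert"; then
        echo "OK: $cert verifies against $bundle"
    else
        echo "FAIL: $cert does not verify against $bundle" >&2; status=1
    fi
    return $status
}

# Usage, with the three paths from the post's ssl.conf:
#   sh sslpreflight.sh /etc/pki/tls/private/mywebsite.key \
#       /etc/pki/tls/certs/2_mywebsite.crt /etc/pki/tls/certs/1_root_bundle.crt \
#   && systemctl restart httpd.service
if [ $# -eq 3 ]; then
    preflight "$@"
fi
```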

If you have spotted and tested free SSL certificates from other vendors, please share with me via commenting on this post.